Out of the Shadows, China Hackers Turn Cyber Gatekeepers

Many Chinese hackers are finding it increasingly lucrative to join the country's nascent cybersecurity industry.

869

By Paul Carsten & Gerry Shih 29 June 2015

BEIJING — China, long accused by the United States of rampant cyber aggression, may be synonymous with hacking exploits these days, but that doesn’t mean every Chinese hacker is out to pilfer and destroy.

As Chinese companies grapple with a sharp increase in the number of cyberattacks, many hackers are finding it increasingly lucrative to go above board and join the country’s nascent cybersecurity industry.

Zhang Tianqi, a 23-year old Beijinger, cut his chops in high school trying to infiltrate foreign websites, skirting domestic law by probing for vulnerabilities on overseas gaming networks.

Now, after a stint working at internet bluechip Alibaba Group Holding Ltd, he is the chief technology officer of a Shanghai-based cybersecurity firm which owns Vulbox.com, a site offering rewards for vulnerability discoveries, and internet security media site FreeBuf.com.

“I’d been messing around in the field in my early years, but luckily it just so happens now that there’s this trend of China taking information security very seriously,” Zhang said on June 18, from his office in a high-tech development in eastern Shanghai.

China’s President Xi Jinping has made cybersecurity a national priority as the country starts to feel the impact of rapid economic growth occurring without a corresponding development in data protection.

In May, China’s National Computer Network Emergency Response Technical Team, a non-profit agency, said it had recorded 9,068 instances of data leaks in 2014, three times as many as in 2013, reflecting the “grim challenges” of Chinese cybersecurity, according to the official Xinhua news agency.

To try and tackle this, dozens of cybersecurity companies are now cropping up across China according to industry observers, populated by young techies with bona fide security skills and work experience at firms like Alibaba, Tencent Holdings Ltd and Baidu Inc.

China is hoping that eventually domestic cybersecurity groups will provide most of its companies with defences against hacking, rather than them relying on foreign firms like Symantec , Kaspersky and EMC Corp’s RSA.

The gradual professionalism of China’s bedroom hackers traces the country’s rise as an economic and technological force, and its sometimes conflicted position in the escalating global data security arms race.

The US government has attributed sophisticated attacks—including the large-scale data theft this month from the Office of Personnel Management (OPM)—to increasingly advanced state-affiliated teams from China.

But former hackers say the majority of their peers are joining a burgeoning industry to help China firms fend off the numerous attacks they face themselves.

China has denied any connection with the OPM attack and little is known about the identities of those involved in it.

The Cyberspace Administration of China told Reuters in a June 19 fax that it opposes “any form of network attack” and does “not allow any groups or individuals to engage in network-attacking activities” within its borders.

The cybersecurity industry’s growth was partly spurred by a government crackdown on China’s hacking community five years ago—around the same time Beijing passed a series of laws banning hacking and spamming tools and requiring telecom operators to help suppress attacks.

Government sweeps largely silenced once-raucous online forums like kanxue.com, where hackers traded tips and boasted about their conquests.

Many chose to shift from “black hat” activities to “white hat” ones, using their skills to find network vulnerabilities so that they can be fixed.

“Many people feel that now white hats have some space to do things, or make money, while hackers can’t do bad things anymore,” said one hacker who asked not to be identified because of his former work with the government.

Aside from companies like Alibaba, Tencent and Baidu beefing up their defences, China’s government has also been working to ramp up the data security of the country as a whole.

Agencies including the Cyberspace Administration of China have led educational efforts around promoting data security.

Still, many “white hats” say Chinese companies continue not to take the matter of information security seriously enough, neglecting to hire enough people in-house to protect themselves.

“I hope we can give people a wake-up call,” said the former government hacker.

Even with the current progress, it’s likely to be a long and laborious effort, with China saying it is often the target of sophisticated attacks from overseas.

Last month, Chinese security company Qihoo 360 Technology Co Ltd issued a report saying it had discovered a series of cyber-intrusions against important Chinese targets that lasted for years. These include a government maritime agency, research institutions and shipping companies.

Zhang says that while the finger is often pointed at China for hacking attacks, the country is still playing catch up with the United States on both the cyber security, and cyber espionage fronts.

“When China’s measured up against the American giants, the level of their hacks, their data security, the scale and the harm they can do is all much greater.”